samedi 28 février 2015

Rest API Message Signature - Questions

I've been trying explore the use of Http REST api's. I came across another SO post pointing me to how AWS signs its requests with its secret key as documented here. The secret key is used to sign parts of the message (timestamp, request path, parameters, etc..) with the idea that none of these parts can be altered without producing a different hash.


Two Questions:


1) As part of the AWS standard, part of the "string-to-sign" formed by the client is the hash of the message body. For the server receiving the message from the client, it will need to compute the hash of that message body before it can compute the message signature. My question centers around how would this be implemented? In the case of servlets, where you put a authentication servlet filter to pre-process requests, the filter would need to download the entire body before it could compute the signature. Doesn't this mean a "hacker" could overwhelm a server by making large POST requests to the server because the entire body must first be downloaded?


2) I get AWS can work without SSL/TLS due to signing the messages. How though does the secret key initially get sent to the user? Wouldn't that need to be over TLS?


Thanks!





Aucun commentaire:

Enregistrer un commentaire